libjpeg-turbo 1.5.1 - Denial of Service

Published 28 Jul 2017 00:00:00 | Reported by qflb.wu | Type: exploitdb | Source: www.exploit-db.com

libjpeg-turbo 1.5.1 denial of service vulnerability via a crafted jpg file

Related

Family                 Title                                                                 Published
0day.today             libjpeg-turbo 1.5.1 - Denial of Service Vulnerability                 28 Jul 2017 00:00
AttackerKB             CVE-2017-9614                                                         27 Jul 2017 06:29
CNVD                   libjpeg-turbo Denial of Service Vulnerability                         27 Jul 2017 00:00
CVE                    CVE-2017-9614                                                         27 Jul 2017 06:00
Cvelist                CVE-2017-9614                                                         27 Jul 2017 06:00
exploitpack            libjpeg-turbo 1.5.1 - Denial of Service                               28 Jul 2017 00:00
NVD                    CVE-2017-9614                                                         27 Jul 2017 06:29
OSV                    BELL-CVE-2017-9614: CVE-2017-9614 does not affect BellSoft software   27 Jul 2017 06:29
Prion                  Design/Logic Flaw                                                     27 Jul 2017 06:29
Positive Technologies  PT-2017-19073 · Libjpeg Turbo +1 · Libjpeg-Turbo +1                   27 Jul 2017 00:00
libjpeg-turbo denial of service vulnerability
======================
Author : qflb.wu
CVE    : CVE-2017-9614
======================


Introduction:
=============
libjpeg-turbo is a JPEG image codec that uses SIMD instructions (MMX, SSE2, AVX2, NEON, AltiVec) to accelerate baseline JPEG compression and decompression on x86, x86-64, ARM, and PowerPC systems.


Affected version:
=================
1.5.1


Vulnerability Description:
==========================
The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 can cause a denial of service (invalid address access and application crash) via a crafted jpg file.


I found this bug when I tested stills2dv-alpha-0.601, which uses libjpeg-turbo.


./stills2dv exampleworkfile.s2d


(exampleworkfile.s2d contains the path of the PoC jpg file)


----debug info:----
gdb-peda$ bt
#0  __memcpy_sse2 () at ../sysdeps/x86_64/multiarch/../memcpy.S:166
#1  0x00007ffff6d82323 in __GI__IO_file_xsgetn (fp=0x61c370, 
    data=<optimized out>, n=0x1000) at fileops.c:1387
#2  0x00007ffff6d7786f in __GI__IO_fread (buf=<optimized out>, size=0x1, 
    count=0x1000, fp=0x61c370) at iofread.c:42
#3  0x00007ffff7b6e23b in fill_input_buffer (cinfo=0x7fffffffe190)
    at jdatasrc.c:107
#4  0x00007ffff7b7beef in get_dqt (cinfo=0x7fffffffe190) at jdmarker.c:516
#5  0x00007ffff7b7dba3 in read_markers (cinfo=0x7fffffffe190)
    at jdmarker.c:1050
#6  0x00007ffff7b795fd in consume_markers (cinfo=0x7fffffffe190)
    at jdinput.c:320
#7  0x00007ffff7b6c853 in jpeg_finish_decompress (cinfo=0x7fffffffe190)
    at jdapimin.c:399
#8  0x0000000000402da0 in readjpg (
    fn=fn@entry=0x61c2f4 "example_data_files/test.jpg") at s2d_jpg.c:148
#9  0x0000000000403c5b in openImage (
    fn=0x61c2f4 "example_data_files/test.jpg", cache=0xffffffff)
    at s2d_main.c:202
#10 0x00000000004063a5 in splitted2struct (p=p@entry=0x60acc0 <ms>, 
    strs=strs@entry=0x61c2a0) at s2d_main.c:1139
#11 0x000000000040240b in main (argc=argc@entry=0x2, 
    argv=argv@entry=0x7fffffffe5f8) at s2d_main.c:1404
#12 0x00007ffff6d2af45 in __libc_start_main (main=0x402040 <main>, argc=0x2, 
    argv=0x7fffffffe5f8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe5e8) at libc-start.c:287
#13 0x0000000000402500 in _start ()




=================================================================================
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00007ffff7b6e233    107      nbytes = JFREAD(src->infile, src->buffer, INPUT_BUF_SIZE);
gdb-peda$ 
[----------------------------------registers-----------------------------------]
RAX: 0x61ce30 --> 0x464a1000e0ffd8ff 
RBX: 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>:push   rbp)
RCX: 0x61c370 ("example_data_files/test.jpg")
RDX: 0x1000 
RSI: 0x1 
RDI: 0x61ce30 --> 0x464a1000e0ffd8ff 
RBP: 0x7fffffffdff0 --> 0x7fffffffe050 --> 0x7fffffffe070 --> 0x7fffffffe0a0 --> 0x7fffffffe0c0 --> 0x61c370 ("example_data_files/test.jpg")
RSP: 0x7fffffffdfd0 --> 0x7fffffffe030 --> 0x0 
RIP: 0x7ffff7b6e236 (<fill_input_buffer+56>
R8 : 0x67706a2e747365 ('est.jpg')
R9 : 0x7ffff70ca7b8 --> 0x623770 --> 0x0 
R10: 0x7fffffffde90 --> 0x0 
R11: 0x7ffff7b6c74c (<jpeg_finish_decompress>:push   rbp)
R12: 0x61c2f4 ("example_data_files/test.jpg")
R13: 0x61c5b0 --> 0x61c370 ("example_data_files/test.jpg")
R14: 0xc00 ('')
R15: 0x3
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b6e229 <fill_input_buffer+43>:    mov    edx,0x1000
   0x7ffff7b6e22e <fill_input_buffer+48>:    mov    esi,0x1
   0x7ffff7b6e233 <fill_input_buffer+53>:    mov    rdi,rax
=> 0x7ffff7b6e236 <fill_input_buffer+56>:    call   0x7ffff7b477f0 <fread@plt>
   0x7ffff7b6e23b <fill_input_buffer+61>:    mov    QWORD PTR [rbp-0x10],rax
   0x7ffff7b6e23f <fill_input_buffer+65>:    cmp    QWORD PTR [rbp-0x10],0x0
   0x7ffff7b6e244 <fill_input_buffer+70>:    jne    0x7ffff7b6e2bb <fill_input_buffer+189>
   0x7ffff7b6e246 <fill_input_buffer+72>:    mov    rax,QWORD PTR [rbp-0x8]
Guessed arguments:
arg[0]: 0x61ce30 --> 0x464a1000e0ffd8ff 
arg[1]: 0x1 
arg[2]: 0x1000 
arg[3]: 0x61c370 ("example_data_files/test.jpg")
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdfd0 --> 0x7fffffffe030 --> 0x0 
0008| 0x7fffffffdfd8 --> 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>:push   rbp)
0016| 0x7fffffffdfe0 --> 0x5bffffe0bc 
0024| 0x7fffffffdfe8 --> 0x61c880 --> 0x61d028 --> 0x0 
0032| 0x7fffffffdff0 --> 0x7fffffffe050 --> 0x7fffffffe070 --> 0x7fffffffe0a0 --> 0x7fffffffe0c0 --> 0x61c370 ("example_data_files/test.jpg")
0040| 0x7fffffffdff8 --> 0x7ffff7b7beef (<get_dqt+71>:test   eax,eax)
0048| 0x7fffffffe000 --> 0x0 
0056| 0x7fffffffe008 --> 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>:push   rbp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00007ffff7b6e236    107      nbytes = JFREAD(src->infile, src->buffer, INPUT_BUF_SIZE);
gdb-peda$ x/20x $rdi
0x61ce30:    0x464a1000e0ffd8ff    0x1c00020101004649
0x61ce40:    0x4300dbff00001c00    0x28191e231e1c2800
0x61ce50:    0x3c30282b2d232123    0x587b3c37373c4164
0x61ce60:    0x8f9699809164495d    0xa0c3e6b4a08a8c80
0x61ce70:    0xcbffc88c8aaddaaa    0xc19bfffffff5eeda
0x61ce80:    0xfffde6fffaffffff    0x2d2b014300dbfff8
0x61ce90:    0x764141763c353c2d    0xf8f8f8f8a58ca5f8
0x61cea0:    0xf8f8f8f8f8f8f8f8    0xf8f8f8f8f8f8f8f8
0x61ceb0:    0xf8f8f8f8f8f8f8f8    0xf8f8f8f8f8f8f8f8
0x61cec0:    0xf8f8f8f8f8f8f8f8    0xc0fff8f8f8f8f8f8


gdb-peda$ ni
Program received signal SIGSEGV, Segmentation fault.
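Reading the dump above (editor's note, an inference from the register values rather than a statement by the reporter): frame #1 shows fread() called with fp=0x61c370, and gdb renders that same address (it is also in RCX) as the string "example_data_files/test.jpg" rather than as a FILE object, while the source buffer in RDI (0x61ce30) holds a well-formed JFIF header: FF D8 FF E0 00 10 "JFIF", then two FF DB 00 43 quantisation tables, then the FF C0 of SOF0. That is consistent with fill_input_buffer reading from a FILE that the calling program had already closed and whose heap chunk was reused, not with a parse error on the JPEG bytes. When triaging a crash with this shape, check the order of fclose() and jpeg_finish_decompress() in the caller before blaming the decoder. The C program below is an added example (editor's code; not from the advisory, stills2dv or libjpeg-turbo): it rebuilds the stdio source-manager pattern of jdatasrc.c, including its fake-EOI-on-EOF behaviour, drives a marker walker with a DQT parser through it so that buffer refills land inside segments exactly where get_dqt called fill_input_buffer in the backtrace, and runs it over the 160 bytes recovered from the x/20x dump. The names (src_mgr, scan_jpeg, scan_poc, SCAN_*), the 16-byte INPUT_BUF_SIZE and the status codes are assumptions; the bytes in POC_HEADER are transcribed from the dump, little-endian qwords expanded to bytes.

```c
/* Added example (editor's code; not from the advisory, stills2dv or libjpeg-turbo).
 * Names, INPUT_BUF_SIZE and the SCAN_* codes are assumptions, not libjpeg's API. */
#include <stdio.h>
#include <string.h>

#define INPUT_BUF_SIZE 16   /* tiny on purpose so refills land inside segments */
enum { SCAN_OK = 0, SCAN_TRUNCATED = 1, SCAN_BAD = 2 };
typedef struct { int status; int dqt_tables; } scan_result;
typedef struct {
    FILE *infile;                    /* caller-owned: must stay open until the scan ends */
    unsigned char buffer[INPUT_BUF_SIZE];
    const unsigned char *next;       /* next unread byte in buffer */
    size_t left;                     /* unread bytes left in buffer */
    int hit_eof;                     /* set once the fake EOI has been handed out */
} src_mgr;

/* jdatasrc.c strategy: read a block; at EOF hand out a fake EOI (FF D9) exactly once. */
static int fill_input_buffer(src_mgr *src)
{
    size_t n = fread(src->buffer, 1, INPUT_BUF_SIZE, src->infile);
    if (n == 0 && src->hit_eof) return 0;       /* fake EOI already consumed */
    if (n == 0) { src->buffer[0] = 0xFF; src->buffer[1] = 0xD9; n = 2; src->hit_eof = 1; }
    src->next = src->buffer; src->left = n;
    return 1;
}

static int read_byte(src_mgr *src, unsigned *out)
{
    if (src->left == 0 && !fill_input_buffer(src)) return 0;
    *out = *src->next++; src->left--; return 1;
}

/* DQT body as get_dqt() consumes it: Pq/Tq byte, then 64 entries of 1 or 2 bytes, per table. */
static int scan_dqt(src_mgr *src, long length, int *tables)
{
    for (long used = 0; used < length; (*tables)++) {
        unsigned pqtq, v;
        if (!read_byte(src, &pqtq)) return SCAN_TRUNCATED;
        if ((pqtq & 15) > 3 || (pqtq >> 4) > 1) return SCAN_BAD;   /* bad Tq or Pq */
        int width = (pqtq >> 4) ? 2 : 1;
        for (int i = 0; i < 64 * width; i++)
            if (!read_byte(src, &v)) return SCAN_TRUNCATED;
        used += 1 + 64 * width;
        if (used > length) return SCAN_BAD;     /* table overruns the declared length */
    }
    return SCAN_OK;
}

/* Walk marker segments from SOI to EOI over an open FILE that the caller owns. */
static scan_result scan_jpeg(FILE *fp)
{
    src_mgr src = { fp, {0}, NULL, 0, 0 };
    scan_result r = { SCAN_BAD, 0 };
    unsigned b, hi, lo;
    if (!read_byte(&src, &b) || b != 0xFF || !read_byte(&src, &b) || b != 0xD8)
        return r;                                                    /* no SOI */
    for (;;) {
        do { if (!read_byte(&src, &b)) goto trunc; } while (b != 0xFF);  /* sync to FF */
        do { if (!read_byte(&src, &b)) goto trunc; } while (b == 0xFF);  /* skip fill FFs */
        if (b == 0xD9) { r.status = src.hit_eof ? SCAN_TRUNCATED : SCAN_OK; return r; }
        if (b == 0x00 || (b >= 0xD0 && b <= 0xD7)) continue;   /* stuffed byte / RSTn */
        if (!read_byte(&src, &hi) || !read_byte(&src, &lo)) goto trunc;
        long len = ((long)hi << 8 | lo) - 2;
        if (len < 0) return r;
        int st = SCAN_OK;
        if (b == 0xDB) st = scan_dqt(&src, len, &r.dqt_tables);
        else for (long i = 0; i < len && st == SCAN_OK; i++)   /* skip other segments */
            if (!read_byte(&src, &b)) st = SCAN_TRUNCATED;
        if (st != SCAN_OK) { r.status = st; return r; }
    }
trunc:
    r.status = SCAN_TRUNCATED; return r;
}

/* Constructed input: the 160 bytes of src->buffer from the advisory's x/20x dump
 * (SOI, JFIF APP0, two 8-bit DQTs, then the first two bytes of SOF0). */
static const unsigned char POC_HEADER[160] = {
    0xff,0xd8,0xff,0xe0,0x00,0x10,0x4a,0x46,0x49,0x46,0x00,0x01,0x01,0x02,0x00,0x1c,
    0x00,0x1c,0x00,0x00,0xff,0xdb,0x00,0x43,0x00,0x28,0x1c,0x1e,0x23,0x1e,0x19,0x28,
    0x23,0x21,0x23,0x2d,0x2b,0x28,0x30,0x3c,0x64,0x41,0x3c,0x37,0x37,0x3c,0x7b,0x58,
    0x5d,0x49,0x64,0x91,0x80,0x99,0x96,0x8f,0x80,0x8c,0x8a,0xa0,0xb4,0xe6,0xc3,0xa0,
    0xaa,0xda,0xad,0x8a,0x8c,0xc8,0xff,0xcb,0xda,0xee,0xf5,0xff,0xff,0xff,0x9b,0xc1,
    0xff,0xff,0xff,0xfa,0xff,0xe6,0xfd,0xff,0xf8,0xff,0xdb,0x00,0x43,0x01,0x2b,0x2d,
    0x2d,0x3c,0x35,0x3c,0x76,0x41,0x41,0x76,0xf8,0xa5,0x8c,0xa5,0xf8,0xf8,0xf8,0xf8,
    0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,
    0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,
    0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xff,0xc0,
};

/* Scan the first n bytes of POC_HEADER through a real FILE (tmpfile()), optionally
 * patching one byte first. The FILE is closed only after scan_jpeg() has returned. */
static scan_result scan_poc(size_t n, int patch_at, unsigned char patch_val)
{
    unsigned char buf[sizeof POC_HEADER]; scan_result r = { SCAN_BAD, 0 };
    FILE *fp = tmpfile();
    if (n > sizeof buf) n = sizeof buf;
    memcpy(buf, POC_HEADER, sizeof buf);
    if (patch_at >= 0 && (size_t)patch_at < n) buf[patch_at] = patch_val;
    if (fp && fwrite(buf, 1, n, fp) == n) { rewind(fp); r = scan_jpeg(fp); }
    if (fp) fclose(fp);
    return r;
}
```

Running it over a real file means fopen(), scan_jpeg(fp), then fclose(fp), in that order: the manager keeps only a borrowed pointer, which is the same contract libjpeg's jpeg_stdio_src() has with the caller's FILE, and the crash above is what that contract looks like when it is broken. With the FILE valid, a truncated input comes back as SCAN_TRUNCATED with the tables counted so far (libjpeg would emit its JWRN_JPEG_EOF warning and carry on with the fake EOI), an out-of-range Tq comes back as SCAN_BAD, and the 160 dumped bytes scan as two tables followed by a cut-off SOF0, so nothing in those bytes is malformed.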


POC:
test.jpg;exampleworkfile.s2d
CVE:
CVE-2017-9614


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42391.zip

Vulners AI Score: 8.8 (High risk) | CVSS 2: 6.8 | CVSS 3.1: 8.8 | EPSS: 0.04338